Today I found that my 22-bay Synology RackStation has been hacked and that the resource monitor on the main web interface was tampered with – I guess to hide the massive resource usage caused by the hackers’ Bitcoin mining software.

I got suspicious when my RackStation started to seem really slow when running Download Station – I logged in via SSH and ran top and saw 3 processes using 25% CPU – they were called PWNEDm and were connected to the IP address 46.244.18.176 on TCP port 9555.

After some investigation I found the rogue folder (/PWNED) – it seems to download its payload from here: http://65.36.55.70:5000/jynx2.so

I was able to kill the three tasks and delete the folder – nothing else could be found so I think it’s gone; although it has modified some files and I am not sure of the exact full extent yet.

The tasks were called PWNEDm – upon looking at this with a hex editor it is clearly just “mined” renamed – a Linux Bitcoin miner.

What is scary is that they seem to know that they were running on a DiskStation, as some of the files/scripts appear to reference Synology file paths so they can overwrite files and hide their presence.

I am reluctant to reboot as maybe some Synology files are damaged — I can already see a few scripts such as:

These appear to overwrite some Synology files and perform other mischief

Before I reboot, what I would like to know is: if I look at all the scripts and note down all the files they modify, could I copy “clean” files from my DS214+ to my RackStation 2212+?

I do have a pretty tight password set too – containing numbers, letters and some punctuation chars – very weird! I only allow outside access to the Download Station plugin, and only to a few friends who have their own accounts and strong passwords – in the meantime I’ve blocked it at my firewall and added firewall blocks on the two IP addresses mentioned above, just in case!

I will follow this up on the Synology forum – For those that wanted the PWNED folder to analyse it you can find it here: Syno-PWNED

Update: There seem to be two versions.

The one I found (user ‘smmsp’ with multiple PWNEDm processes running – actually a program called mined that’s been renamed) does no other apparent damage besides tampering with some Synology web-interface files to hide its CPU activity. It all seems to be started from a user called smmsp (the Sendmail user – listed in the /etc/passwd file).

There also seems to be another variant that actively looks for usernames/passwords in places such as /etc/ddns.conf and adds a folder called /volume1/startup with a Perl script to activate itself. This one also seems to tamper with some rudimentary command-line tools such as ls, cat and top to prevent removal.
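The following triage helpers are an added example, not code from the original post or from Synology: they turn the indicators named above (PWNEDm processes, the C2 at 46.244.18.176:9555, the payload host 65.36.55.70:5000, the /PWNED and /volume1/startup folders, and replaced ls/cat/top) into checks a DSM owner can run over `ps`, `netstat -tn` and a pair of hash manifests. They assume busybox sh/awk as shipped on DSM, the column layout of busybox `ps` and `netstat -tn`, and that DSM installs ls, cat and top as symlinks to busybox (an assumption, not something the post states); the sample ps and netstat lines and the manifest contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the indicators
# described above. Written for busybox sh/awk as found on DSM; every sample
# input below is constructed for illustration.

# C2 and payload-host addresses quoted in the post.
IOC_IPS="46.244.18.176 65.36.55.70"

# flag_procs: read `ps` output on stdin, print the PID of every process whose
# command line mentions PWNEDm or runs from under /PWNED.
flag_procs() {
    awk '/PWNEDm|\/PWNED\// { print $1 }'
}

# flag_conns: read `netstat -tn` output on stdin, print every remote endpoint
# (ip:port, column 5) whose address is on the IOC list.
flag_conns() {
    awk -v ips="$IOC_IPS" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^tcp/ { split($5, r, ":"); if (r[1] in bad) print $5 }'
}

# check_bin_links: DSM ships ls, cat, top and friends as symlinks to busybox
# (assumption made for this check). A regular file sitting in their place is
# the kind of replacement the second variant is described as making.
check_bin_links() {      # $1 = directory, remaining args = tool names
    dir=$1; shift
    for n in "$@"; do
        if [ -L "$dir/$n" ]; then
            :                                   # symlink, as expected
        elif [ -e "$dir/$n" ]; then
            echo "$n is a regular file, not a busybox symlink"
        fi
    done
}

# diff_manifest: compare sha256sum/md5sum-style manifests ("hash  path" per
# line) taken on a clean box ($1) and on the suspect box ($2); print files whose
# hash differs or that exist only on the suspect. Paths containing spaces are
# not handled. This answers "which files did they touch" without trusting the
# suspect box's own ls/cat.
diff_manifest() {
    awk 'NR == FNR { clean[$2] = $1; next }
         !($2 in clean) { print "extra   " $2; next }
         clean[$2] != $1 { print "changed " $2 }' "$1" "$2"
}

# Constructed sample data mimicking busybox `ps` and `netstat -tn` output.
sample_ps() {
    cat <<'EOF'
  PID USER       VSZ STAT COMMAND
    1 root      1920 S    init
 4242 smmsp    30144 R    /PWNED/PWNEDm -o 46.244.18.176:9555
 4243 smmsp    30144 R    PWNEDm
 5100 root      4096 S    sshd: admin [priv]
EOF
}

sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED
tcp        0      0 192.168.1.10:45120      46.244.18.176:9555      ESTABLISHED
tcp        0      0 192.168.1.10:45121      65.36.55.70:5000        TIME_WAIT
EOF
}

# Demo on the constructed data. On the NAS itself: `ps | flag_procs` and
# `netstat -tn | flag_conns`.
sample_ps | flag_procs
sample_netstat | flag_conns
```

To use the manifest check across the two boxes, build the manifest the same way on both (for example `find /bin /usr/bin -type f -exec sha256sum {} +` on the DS214+ and on the RS2212+, or md5sum if that is what the firmware has), copy the clean one over, and run `diff_manifest clean.txt suspect.txt`. Because the second variant is described as replacing ls, cat and top, run these checks with a busybox binary copied from the clean box rather than the one on the suspect box, and treat any output from check_bin_links as reason to compare that file against the clean manifest.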

I just discovered my DiskStation was hacked. Thanks for the write-up. I’m just beginning my investigation and will post here if I find out anything more. I’m most curious what vuln they exploited. Looking in the logs doesn’t show anything obvious.